If you run a WordPress site, its security is something you need to take seriously.
So you have a WordPress website? Is it secure? You might think so, but there are numerous vulnerabilities that could leave it exposed.
Some hack attempts are obvious right away (a broken website, or reports from your visitors), but there are other kinds of compromise where you cannot easily tell whether your site has been hacked at all.
I know this sounds scary but it is your responsibility as the site owner to keep your WordPress site secure.
Now, “hack” doesn’t necessarily mean that someone got into your site, removed all the content and put up a static defacement page!
There is more to hacking than that. There are various kinds of attack that I will not go into in detail in this post, but some of them do not aim to bring your site down or crash your business; they aim to use your business and your traffic for the attacker’s benefit.
A vulnerable plugin could open the door to attackers, or malicious code could be injected that adds a link to a questionable website without your knowledge. Or code could be planted that redirects visitors arriving on particular keywords to questionable landing pages, again without your knowledge.
This kind of hacking recently happened to my tech site, where a vulnerable plugin added a piece of malicious code and I had pages like this in the search results (and even in the sitelinks themselves!).
When you click on those links they go directly to a casino site, while the URL in the address bar would be from my site! How clever :)!
I removed that particular plugin (it took us a while to figure out what caused the code to be placed there) and those links now show as 404 pages on my site.
I have filed a demotion request with Google for the sitelinks, though!
Anyway, that’s my personal story. I also had an earlier experience with the Timthumb plugin.
So, how do you keep your WordPress website secure? Let’s get to the tips!
WordPress security top tip: Stay up-to-date
I cannot stress this point enough, and I can say that most website owners take it very lightly. Not everyone is keen on keeping their WordPress site updated.
I can say this from experience. Most of the WordPress site maintenance clients who come to us as new customers have sites that are out of date. When we start working on a new site (for maintenance) we usually find that it has themes and plugins that have not been updated.
When I talk about staying updated, it is important to note that you need to update your unused themes and plugins as well. If you have a bunch of unused or deactivated plugins, don’t think you can leave them without updates.
As long as the old, un-updated files stay on your server, they are a potential doorway for the bad guys, because deactivated code is still sitting on the server where it can be reached directly.
Usernames and passwords
Now, this one is basic. Many website owners just use the default “admin” account for administration. It is no surprise that an “admin” account with the password “password” will get hacked sooner or later.
There is no point in crying over spilt milk. It is not rocket science to create a new account for administrative purposes and then delete the default WordPress admin account. I usually do exactly that.
I create a new user account with administrator privileges and then delete the default “admin” user account. Also make sure that you use a really strong password. Your first name followed by your year of birth is not a strong password.
Create a really strong password by combining uppercase and lowercase letters, numbers and symbols. If you worry about remembering a strong password, you could use a password manager like LastPass (LastPass can also generate strong passwords for you).
Ditch unused plugins or themes
Look at your list of installed themes and plugins. If you have a lot of unused items sitting there in deactivated mode, take a closer look and delete the ones you won’t be using.
Some plugins are used for a one-time purpose, like an import from Blogger or a metadata import. Once that job is done you probably won’t need the plugin again on this site. Delete such plugins.
As I said earlier, unused plugins or themes can be used as doors by attackers. You might think that since you are only using one theme and a handful of plugins, it is enough to keep those updated and under watch. But the unused ones can be just as dangerous.
Just delete everything you don’t use. This not only lessens the chances of a hack, but also keeps your website lightweight.
Be careful about what you upload to your site
If you are going to install new plugins or themes, do it from within the WordPress dashboard. Always install plugins and themes from the official WordPress repository, via the dashboard.
Anything you download as a .zip from a third-party website could be a threat to your site, because you don’t know what else comes along with the plugin or theme files in that .zip.
If you want to install premium/professional themes like Genesis, that’s fine. Just make sure that the premium theme provider has a good reputation (StudioPress, in the case of Genesis, has an excellent standing in the market).
Stay immune to brute force attacks
So what are brute force attacks? They are simply attackers trying to log in to your site, determined to get in no matter what. They will keep attempting to log in until they succeed.
They try all possible combinations of usernames and passwords (starting from an initial guess) until they get in.
Although having a strong password helps against brute force login attempts, it is not a guarantee on its own.
So what can you do?
A simple solution is to install the Limit Login Attempts plugin.
But if you do not want to add another plugin to your site for this purpose alone, and if you can handle a little “code”, here is something else you can do.
You can block direct web access to your wp-config.php and .htaccess files, so that nobody can request them through a browser. To do so, add the following lines to your .htaccess file:
To protect the wp-config.php file:

    # Deny every direct HTTP request for wp-config.php
    <Files wp-config.php>
        order allow,deny
        deny from all
    </Files>

To protect the .htaccess file itself:

    # Deny every direct HTTP request for .htaccess
    <Files .htaccess>
        order allow,deny
        deny from all
    </Files>

The “order allow,deny” and “deny from all” directives are Apache 2.2 syntax; on Apache 2.4 they only work if mod_access_compat is loaded, and the native equivalent is “Require all denied” inside the same <Files> block.
Other vital things to do for WordPress security (part of ongoing maintenance)
- Have a security scanner or monitor in place. Sucuri is one such service that can scan your site for suspicious activity (the free option is fine for regular manual scans).
- Exploit Scanner is a plugin that scans your files, comments, database etc. for anything suspicious.
- Use a CDN (a free one like CloudFlare will do). Although CDNs are best known for boosting your site’s speed, they are also good at stopping hack attempts in the first place by filtering out suspicious visits.
- Report vulnerabilities to WordPress! If it is a general WordPress issue you could email firstname.lastname@example.org, or if it is a plugin-related issue or a bug, you could report it to email@example.com. You will be doing yourself and the community a favor.
- Back up your site often. If nothing else works, your backup will save you from the nightmare!
- Last but not least, leave it all to us! We can do it all for you and keep your site properly maintained via our WordPress maintenance service.
Got any more tips on WordPress security? Share them with us in the comments!